Add to collection(s) Add to saved
  1. Business
  2. Finance

siems

advertisement 
SIEMs - Decoding The Mayhem
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
Outline
• Today’s Threat Landscape
• Why Do I Need a SIEM?
• Choosing and Deploying a SIEM
• This Will Not Be Boring
Computer Security LandScape
• You Are Being Blamed
• Your Money Isn’t Safe
• Your Information Isn’t Safe
• Your Reputation Is at Stake
• More Threats, Less People
Your Are Being Blamed
• BotNets
• Pivoting
Stealing Your $$
Stealing Your Information
• Computers Are No Longer for “Productivity”
• You Have Valuable Information
• You ARE A Target
• You Aren’t Dealing With “Amateurs”
Hactivists – Exposing Your Secrets
Hactivists – Exposing Your Secrets
Hactivists – Business Disruption
Your Challenge
SIEMS
You Need An “Oracle”
• Know The Past
• Knows The Present
• Knows The Future
• Knows How to CYA
SIEM Basics
• Provides “Instant Replay”
• 24 X 7 Security Guard
• SIEMs v. Firewall v. IDS v. IPS
• SIEM v. SEIM v. SIM
• Typically Compliance Driven
Compliance
• HIPAA
• PII
• Data Breach Notification Laws
Why Do I Need A SIEM?
• Infrastructure Monitoring
• Reporting
• Threat Correlation
• Instant Replay
• Incident Response
What Is Monitored?
• Account Activity
• Availability
• IDS/Context Correlation
• Data Exfiltration
• Client Side Attacks
• Brute Force Attacks
Windows Accounts
•
•
•
•
•
•
Accounts Created, By Whom, and When
New Accounts That Aren’t Standard
New Accounts Created At Odd Time
New Workstation Account Created
Key Group Membership Change
Accounts Logon Hours
19
Availability
• System Uptime Statistics
• Availability Reporting
• Uptime is “Relative”
IDS Context/Correlation
• Place Value On Assets
• Context Is Essential
• Maintain Current Vulnerability DBs
• Create Priority Rules
21
Data Exfiltration
•
•
•
•
You Must Know What Is “Normal”
Deviations From The Norm Warrant An Alert
Some Events Are “Non-Negotiable”
“You” Typically Initiate Data Transfers
22
Client Side Attacks
• Windows Event Logs Information
•
•
•
•
Process Status Changes
New Services Created
Scheduled Tasks Creations
Changes to Audit Policies
23
Brute-force Attacks
• Detailed Reports of Failed Logins
• Source Of Failed Login Attempts
• Locked Accounts Report
24
Incident Response
Incident Response Scenario #1
• Law Firm With Dealings In China
• Law Firm Was “Owned” More Than A Year
• Access To Every Machine On Network
• Thousands of “Responsive” Emails Obtained
•“Privilege” Was Not Observed
Incident Response Scenario #2
• VP of Finance Promoted to CFO
• Attack on the “Weakest” Link
AV Will Save Us!!
Incident Response Scenario #3
http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx
How SIEMs Would Have Helped
• Accounts Enabled
• Services Created
• Firewall Changes
• Data Exfiltration
• Network Communications
• Incident Response Costs
Choosing A SIEM
• Not a Replacement for Security Engineers
• Must Support Disparate Devices (Agentless)
• Don’t Plan To Monitor? DON’T BOTHER
Deploying a SIEM
• Architecture Options
• Tuning Out The “Noise”
SIEM Option$
• OutSourced Options
•SecureWorks
• High-Cost
•ArcSight, Q1 Labs Radar, RSA, Tripwire
•Lower-Cost
•Q1 Labs FE, TriGEO, Splunk
• No-Cost
•OSSIM
•OSSEC
Summary
• You Must Anticipate Today’s Threats
• SIEMs Are Extremely Valuable
• SIEMs Are Not A Silver Bullet
Questions?
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
bdean@swordshield.com
http://www.twitter.com/BillDeanCCE
Related documents
I.T. Security: Protecting Your Key Corporate Assets
I.T. Security: Protecting Your Key Corporate Assets
SIEM Based Intrusion Detection
SIEM Based Intrusion Detection
SOC or SIEM?
SOC or SIEM?
Why SIEM Implementations Fail?
Why SIEM Implementations Fail?
Regional Marketing and Communications
Regional Marketing and Communications
HYYA
HYYA
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
Critically incident technique The Critical Incident Technique (or CIT
Critically incident technique The Critical Incident Technique (or CIT
eMagic SIEM
eMagic SIEM
Protective Monitoring
Protective Monitoring
AHTS VS491 CD - Siem Offshore AS
AHTS VS491 CD - Siem Offshore AS
Setting Up a SIEM Update Server - Documentation
Setting Up a SIEM Update Server - Documentation
edrvssiem-180119022538
edrvssiem-180119022538
Worldwide Security Information and Event Management Market Shares, 2018: By Size of Business — The Attempt to Serve All Client Needs
Worldwide Security Information and Event Management Market Shares, 2018: By Size of Business — The Attempt to Serve All Client Needs
Security Information and Event Management SIEM Ana (1)
Security Information and Event Management SIEM Ana (1)
List of Publications, Ann-Cecilie Larsen in 2006.
List of Publications, Ann-Cecilie Larsen in 2006.
The-Essential-Guide-to-SIEM
The-Essential-Guide-to-SIEM
Download
advertisement